cvedb.io
CVE-2024-45308
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2024-09-02T18:15:37.150 · Last modified 2026-06-17T07:53:59.763

Summary

HedgeDoc is an open source, real-time, collaborative, markdown notes application. When using HedgeDoc 1 with MySQL or MariaDB, it is possible to create notes with an alias matching the ID of existing notes. The affected existing note can then not be accessed anymore and is effectively hidden by the new one. When the freeURL feature is enabled (by setting the `allowFreeURL` config option or the `CMD_ALLOW_FREEURL` environment variable to `true`), any user with the appropriate permissions can create a note with an arbitrary alias, e.g. by accessing it in the browser. When MySQL or MariaDB are used, it is possible to create a new note with an alias that matches the lower-cased ID of a different note. HedgeDoc then always presents the new note to users, as these databases perform case-insensit

Affected products

hedgedoc — hedgedoc

Does this affect you?

Add your gear to cvedb and we'll alert you only when hedgedoc ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.